The Internet of Broadcast Things

THE INTERNET OF BROADCAST THINGS

Media companies will participate in the explosion of the IoT. But “best practices” are still evolving. How should media professionals practice safe IP? Radio needs a framework to hang its IoT on. A practical guide to using and securing IP.

Sponsored by March 2017

BROADCAST RELIABLE From the Publishers of Radio World Things 4 A practical guide to using and securing IP Abdul Hakim: IP connectivity is beneficial to broadcasters in so many Cybersecurity Training Should ways, creating more powerful networks, improving Be Mandatory control, allowing remote troubleshooting and so much more. But “best practices” are still evolving. How should 5 media professionals practice safe IP? We wondered Wayne Pecena: what kind of questions need to be asked as radio contemplates what could be called the growing Internet Security Is a Lot of Non-Stop Work Paul McLane Editor in Chief of Broadcast Things. What role do firewalls, virtual private networks, password policies etc. play? How can we learn from expert engineers 9 in their work? How are manufacturers responding to the need for more Kevin Rodgers: information about responsible IP management? What recommendations PhoneHome Creates Virtual are put forth by organizations like the Department of Homeland Security, Session in Cloud the FCC and the NAB? Our sources include Wayne Pecena, assistant director of educational broadcast services at Texas A&M University and a widely respected public speaker on IP networks in broadcasting. We heard some very practical 12 advice from Randy Woods, technical director for the Central Florida Josh Thurston: Educational Foundation. It’s All About the Features Abdul Hakim of the Digital Production Partnership told us that companies and Value should approach cybersecurity issues like they do workplace health and safety training. In the article “A Framework to Hang Your IoT on,” we give you a peek inside a report from an FCC advisory group about what broadcasters can 14 and should be doing. Kelly Williams at NAB pointed us to excellent English- Randy Woods: language resources to help translate that report for non-techies. Assume That Everyone Josh Thurston, a security strategist in the office of the CTO of Intel Is a Criminal Security/McAfee, reflected on what considerations matter most in this discussion. And Kevin Rodgers of our sponsor Nautel talked about how the company’s PhoneHome offering fits into this discussion. My thanks to Radio World contributor Tom Vernon for his participation in 16 this project. Kelly Williams: This is Radio World’s 30th eBook. When we began our series in 2012 we NAB Embarks on hardly imagined how popular they’d become. Thank you for reading. Please Cybersecurity Evangelism let us know how we can make the series more useful to you.

19 A Framework to Hang Your IoT on THE INTERNET OF BROADCAST THINGS Radio World | March 2017 Cover Art Credit: iStockPhoto.com/jamesteohart 3 Cybersecurity Training Should Be Mandatory Q Abdul Hakim says treat it like A workplace health and safety training

As senior project manager at the Digital Production organization from hacks Partnership, Abdul Hakim has 13 years’ experience and cybercriminals? in the broadcasting and IT industry; he has a A: Making cybersecurity comprehensive background in project management someone’s responsibility and operations at the BBC as well as in the commercial is a crucial step to take sector. if an organization is to protect itself from hackers and cyber criminals. That person needs to be senior and Q: Are media organizations a bigger target today for cyber afforded the budget to be able to tackle any gaps in criminals? defenses. They need to have the mandate to make the A: Two or three years ago, cybersecurity was a non-issue necessary changes to make sure the organization is for most media groups. But now it’s become a standing protected. item at board meetings and at the top of corporate risk Secondly, it’s widely acknowledged that you can registers. It’s also an area to which a lot of time, attention have the best defense in the world, with state-of-the- and resources are assigned. art firewalls and virus/malware scanning tools, but Cyber attacks on media companies are nothing new, the weakest link in the chain is people. It’s still all too but the turning point seems to be around 2008, with an common for people to choose obvious passwords, increase in both the number and severity of attacks. In or not to change passwords at all, and for people to 2011 Sony was hacked, and reportedly details of a million download random software, games and other content user accounts were stolen from its Playstation network. from compromised or malicious websites. Training and More recently details of data loss have emerged for many awareness are therefore hugely important. Cybersecurity high-profile companies such as Carphone Warehouse, training needs to become mandatory, just like workplace TalkTalk, Yahoo, LinkedIn, with details of several million health and safety training. accounts stolen. Furthermore, the current global climate has made Q: What sorts of precautions do you need to take when media companies an attractive target for hostile groups, traveling abroad with encrypted devices? who see the disruption of broadcast operations as a A: In some countries, local laws prohibit you from major opportunity to gain exposure. A high-profile taking in encrypted devices, while in others, export laws example was the attack on TV5 in France. prohibit you from taking out encrypted devices. It’s more about the encryption technology than the device itself. Q: Do you have any numbers on percentages of cyber For those countries, you will need to know how to turn attacks, or percentage increase in recent years? off encryption. If you’re carrying a production laptop it A: According to the PwC Global State of Information can take a day or two to fully decrypt, so you will need to Security Survey 2017 report, the Entertainment, Media allow time for that. and Communications companies surveyed reported If you’re traveling to any hostile territories or countries an overall increase since 2014, reaching 7,674 incidents where state-sponsored cyber hacking is common, in 2016. The total financial losses as a result of these it’s best to take a fresh device installed with only incidents soared by 81 percent in 2016. the software you need. Avoid sending sensitive or confidential information over the Internet as these are Q: What are some of the top tips to protect yourself or your heavily monitored by state agencies. n

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 4 Security Is a Lot of Non-Stop Work Q Wayne Pecena preaches the gospel of A appropriate protections

Wayne M. Pecena is assistant director information attention to breaches, it technology of educational broadcast services at Texas might be tempting to just A&M University. He serves as the director of engineer- disconnect everything. ing for KAMU Public Radio and Television. He was Instead, how can media the 2014 recipient of the Radio World Excellence in professionals do it smart, Engineering Award. and practice “safe IP”? A: It’s really all about capability and flexibility. Having Q: Give us the “10,000-foot view” on internet security in the an internet connection provides things such as program broadcast plant. origination, simplified device remote control, as well as A: Security is an ongoing process that, unfortunately, remote management and equipment diagnostics. tends to be treated as a one-time, set-it-up-and-forget-it Appropriate protection(s) must be used. The days event. It involves continuous assessment, monitoring and of the open Internet are long gone. I am a proponent action steps. of segmented networks, which provide performance Security is a lot of non-stop work. For the broadcast enhancement and are also the platform for multi-level engineer actively engaged in maintaining the station security defense implementation. The VLAN, VPN and a technical plant, network security is the “Permanent firewall are some key components used to build a secure Employment Act.” environment. A firewall is important, as connections to the outside Q: Generally speaking, what are the key advantages to world are usually necessary. Inside the station, don’t over- broadcasters of having internet connectivity? With all the look protection among isolated internal networks. Having said all that, it is important not to become overly reliant on a firewall and assume that everything is safe just because you have one. Finally, utilize the OSI model as a structured guide, and implement security at layers 1-3 at the minimum.

Q: Passwords seem like such a basic concern, but we probably hear about problems there more than any other. What can you recommend to help radio organizations better protect their assets? A: Passwords are a surprisingly overlooked issue. The first step is to change default device passwords. This is too commonly overlooked. Then develop your own approach to creating unique and strong passwords. That means something other Fig. 1: This image from a Pecena presentation about IP network security identifies than your station’s call sign, slogan or attributes of a secure network. Common threats to network infrastructure include DHCP snooping, ARP spoofing/IP spoofing, rogue router advertisements, denial of frequency. service attacks and application layer attacks. Continued on page 6 ❱

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 5 ❱ Continued from page 5 A weak password is usually seven characters or less, and consists of dictionary words. Such passwords are dangerous because a hacker can run a script that goes through a dictionary trying words as passwords. And it can do this in fractions of a second. I always recommend passwords that are made up of eight or more characters, contain- ing a mixture of letters and numbers, special characters and upper and lower case. It’s also important to avoid using the same password across multiple sites. Otherwise, once a hacker has one password they will have access to all of Fig. 2 your accounts.

Q: Let’s talk a bit more in depth. Can you share some important highlights from your presentations about this topic? A: As I said, security is an ongoing IT process and should never be considered a one-time, set-up-and- forget process. Simple-to-implement best practices towards creating a secure network environment include changing host default logins; disabling unnecessary host services; closing unused host TCP/ UDP ports; keeping your system software updated and patched; terminat- ing the use of unsecure protocols like Telnet; and using encrypted communications paths such as VPN. (See Fig. 2.) Firewalls are an essential tool in the network security toolbox. However, Fig. 3: The Open Systems Interconnection (OSI) Model don’t over rely on a firewall as the sole protection device. Have more than one “lock” on your The Castle approach, also known as “Defense-in- door! Deny everything. Open only needed ports. Imple- Depth” approach, implements multiple perimeters or ment stateless source and destination filtering through layers of security such that if one perimeter is breached an Access Control List (ACL). another exists to prevent further exploit. Whereas this Segment networks into protection zones. Minimize the may be a new approach to network security, it is a centu- network size/scope. Learn from the “Castle” approach. ries-old approach beginning with the design of a castle Keep in mind that a firewall adds latency. This could where the outermost perimeter is protected by a “moat” impact real-time media found in a broadcast plant. Mit- and additional perimeters must be conquered to reach igate by having adequate firewall hardware resources the core inhabitants or treasures. (processor/memory/interfaces). A practical implementation approach is to use the OSI Model “Data Flow” layers as a structured guide to net- Q: What is the Castle approach? work security (Fig. 3). A: There are several attributes that define a “secure” Start at the Physical layer and limit physical access to network. These attributes include utilization of a system network infrastructure hardware and cabling. This can design approach that establishes multiple layers of secu- range from electronic access controlled wiring distribu- rity. There is no single technique to securing a network tion closets to simple lockable rack equipment covers. infrastructure due to the diversity of potential threats. Continued on page 8 ❱

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 6 Comrex Will Introduce ACCESS NX at NAB 2017

Built For The World Of Today ACCESS NX

Ten years ago, we developed ACCESS. ACCESS NX features a hardware platform In those ten years, IP audio transmission that is optimized for running CrossLock, technology has continued to grow by Comrex’s custom reliability layer. leaps and bounds. The state of remote CrossLock enables both powerful error IP infrastructure today is light years correction and network bonding, and removed from the infrastructure of the intelligently monitors and dynamically previous decade. adjusts network connections in real-time. In response to these trends, we’ve continued to evolve as well. Our expertise has grown significantly - we’ve optimized our ACCESS firmware continuously over time, and we’re proud of the way ACCESS has grown. ACCESS NX’s updated hardware We felt that our beautiful updated platform improves user experience software deserved a hardware platform with faster processors and a five-inch that was built for the world of today, capacitive touch screen that doesn’t not the world of ten years ago. So we require a stylus. Other notable hardware redesigned ACCESS from the ground up, features include a new second mic and created ACCESS NX. input, phantom power, and an internal battery. ACCESS NX will be compatible with an ACCESS clip-on channel mixer, a new accessory which adds four mic/line inputs and headphone outputs.

Bring your remotes into the future. Visit us at NAB at Booth# C1633

Write to us at [email protected] or call 1-978-784-1776 / 1-800-247-1776 CC BY-SA 2.0 BY-SA CC

❱ Continued from page 6 automation systems and a media At the Data-Link layer, imple- content storage server. These plat- ment managed Ethernet switch forms likely have a common oper- security provisions. Control what ating system such as Windows or can be connected to the network Linux at their core; however these by utilizing switch port security. systems are often “stripped down” Configure your switch to shut- versions of the operating system down port when a violation occurs. or an embedded operating system Implement VLANs to segment or that often lack the robust operating separate network traffic into secu- Fig. 4: The Castle or “Defense-in-Depth” system security systems. rity domains. This approach also approach to network security is based upon a From a practical standpoint, can centuries-old concept. can improve network performance I execute a common antivirus pro- by limiting a network broadcast domain. tection program on my EAS encoder/decoder? Likely not! At the Network layer, implement firewall filtering tech- So the broadcast plant offers additional challenges niques and Layer 3 encryption such as IPSec between that must be addressed outside the scope of the broad- critical network devices and/or hosts. Firewall techniques cast device. Thus, techniques outlined in virtually all of include stateless implementations via Access Control Lists the responses in this eBook point to solutions such as (ACL) as well as statefull implementation at the network network isolation or segmentation, firewalls with mul- border. Implement Ingress and Egress filtering. Deny by tiple DMZs or security zones, limiting host communica- default. Be a good network neighbor by implementing tions scope to or from the broadcast device, and outright egress filtering. Do not overlook internal firewalls. eliminating outside access to the device. The Transport layer provides another opportunity to With regards to remote access, I am a champion for an implement encryption. Layer 4 encryption includes tech- IP-based KVM switch of your favorite brand. I like Raritan. niques such as Secure Sockets Layer (SSL). Of course the KVM switch should be accessed via a VPN And finally, a secure network establishes an “Audit when offsite. Trail” by tracking and monitoring of network activity. Monitoring of unusual network activity is often an indica- Wayne Pecena will give the presentation “Is Your Network tion that a breach has occurred. Audit trails are the key to Really Secure?” at the 2017 NAB Show Broadcast Engineering determining how a breach occurred and to the develop- and Information Technology Conference on Wednesday ment of preventative measures for the future. Logging of April 26 at 4:30 p.m. He’ll provide an overview of tools to denied access attempts gives you an indication of poten- verify and ensure that desired network security provisions tial threats being imposed on the network. are actually in place, with a focus on penetration testing and In summary, a network is considered secure when public domain security tools like Nmap. n Defense-in-Depth design techniques are implemented with restricted access via internal and external firewall techniques where all activity is monitored and logged.

Q: You’ve also noted that many discus- sions of IT security focus on protection of servers and desktop workstations but that this might not be sufficient for broadcasters. A: Servers and desktops commonly incorporate robust security features based on their native operating system. Think about how many Tuesday Windows updates are security related. Outside of the administrative offices, the typical broadcast plant has functional devices in the program content stream such as an EAS decoder, maybe a transmission codec, Fig. 5: Applying a layered network design.

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 8 PhoneHome Creates Virtual Session in Cloud Q Kevin Rodgers says the service makes A customer support a proactive endeavor

Kevin Rodgers is president and CEO of Nautel, a A: It changes everything. manufacturer of radio broadcast transmitters and Customer support has sponsor of this eBook. shifted from a reactive to a proactive endeavor. Q: Tell us a bit about the origins of Nautel’s PhoneHome Our customer service service. techs can use PhoneHome to analyze data in real time, A: We launched the service in 2013. Our goal was to even accessing the live AUI (Advanced User Interface), or motivate customers to connect their transmitters to to view the state of a customer’s transmitter at any time the internet. The biggest restraining force was security leading up to a fault. This unique diagnostic approach issues surrounding a conventional IP connection that allows our support staff to travel back in time and gave access to all command and control functions. review the events leading up to and during an alarm Our strategy with PhoneHome was to build a product occurrence, giving them valuable insight into how a that sends information rather than receives it. Our transmitter is behaving before, during and after an alarm, as well as how this behavior may be related to the alarm event. Before PhoneHome, the techs were usually called after a failure, and had to rely on the recollections of the customer, which might be incomplete or inaccurate. This proactive support allows us to diagnose problems quickly, overcome language barriers and get customers back on the air faster.

Q: Participation in the PhoneHome service is voluntary. What sort of response have you had from customers? A: We’ve been very pleased. So far, around 600 An image from the Nautel website shows how to activate customers have signed up. We expect that number PhoneHome in the user settings of the transmitter AUI. continue to increase, both from new sales and also as transmitter sites in extremely rural areas finally get transmitters already collect an enormous amount of internet access. data. So we proactively send this information to the cloud via the internet. There is no need for customers to Q: Tell us about one of your success stories with grant access through the network’s firewall. PhoneHome. PhoneHome creates a virtual session that takes place A: As we were scanning the PhoneHome data that in the cloud, making it firewall friendly. comes back to Nautel, we saw one customer had a power module that had failed. Since it was still under Q: How has this changed the way you handle tech warranty, we shipped him a replacement before he support? asked for it, or even realized that he needed it. n

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 9 Keeping Your Broadcast IP Network WHAT KIND OF QUESTIONS NEED TO BE ASKED WHEN USING IP AUDIO IN THE GROWING Safe in the Age of IoT INTERNET OF THINGS? By Greg Shay, CTO, the Telos Alliance Is the network secure? Controlling access to the network used for broadcast is the first, best defense. With a com- pletely open and uncontrolled network, it is difficult for the attached devices themselves to make the network behave the way it needs to.

Said another way, the goal of IP networking for broadcast is to use IP network technology to get the broadcasting job done. That’s not saying the same thing as broadcasting over unsecured or uncontrolled networks. It is important see this fundamental difference.

Is the broadcast network openly interconnected with the general internet? This should give pause. Some of the power of IP connectivity is the convenience of access WHAT ROLE DO FIREWALLS, (for example the chief engineer, in the middle of the VIRTUAL PRIVATE NETWORKS, night from home), but access can be enabled through AND PASSWORD POLICIES secure methods, not open connections. AT THE NEW CUMULUS CHICAGO, WHICH CONSOLIDATES FOUR STATIONS INTO ONE STYLISH, PLAY? STATE-OF-THE-ART, ALL-IP FACILITY, NETWORK SECURITY IS A TOP PRIORITY. These are all accepted best practices for securely enabling connection and access to IP networks. Considering an Audio over HOW DO I KEEP MY BROADCAST The simple precaution of not leaving default pass- IP (AoIP) network for your words, for example, has long been best practice IP NETWORK SAFE? in the IT industry. And there are a range of other facility makes sense; it’s faster, techniques beyond these. We can expect smarter, cheaper, and better than previous For safe IP, media professionals should use best practices borrowed from the IT safer and more capable networks in the future. technologies. By converting to AoIP, industry, and make use of the knowledge, skills, and capabilities of IT professionals and expert contract engineers. In the same way broadcast has borrowed you not only tap into the power of To inherit these present and future network ad- technology from the IT industry, we should also borrow best practices for IT current technology, you allow your vantages, we must leverage IT equipment for security and reliability. facility to leverage the enormous uni- broadcast, so that broadcasters don’t themselves verse of “off the shelf” IT devices that have to invent and develop signal transportation are used worldwide, and not just in HOW DO FACILITIES AVOID TENSIONS OVER methods and equipment that essentially do these the broadcast industry. WHO CONTROLS THE STUDIO, THE ENGINEER same jobs. Just like those connected IT devices, OR THE IT PRO? Having a good IT professional, an even better di- IP-based broadcast gear can open vision of labor, and being vigilant will make your up your network to vulnerabilities, IP broadcast audio represents a different type of IP network traffic than many in broadcast network safe and secure. which is why it’s important to take the IT worlds of banking and web commerce transactions are used to. But the measures to secure it. Broadcast fundamentals of IP networking are the same. Most valuable is a good IT per- security has always been a priority. son who is open-minded and curious, who understands that broadcast media is Since the first broadcast cable, there simply a new and interesting capability that the same IT networks have always was a pair of wire cutters. The security had. This attitude is the doorway to productive and good practice, rather than methods are just different now. Here operational conflicts. The fact that one can do banking over the internet (the Interested in building an IP studio? are some of the most common ques- least secure of all networks), is an example of safe IP networking, and IT engi- Download the Telos Alliance’s new tions I get asked about network safety, neers are making that possible. AES67+AoIP ebook now. and our advice for keeping your net- A healthy division of labor is for IT to plan, implement, and maintain the reliable work impenetrable. network to make the connections. But the media professionals make the interesting shows, the high-quality programming, that the audience wants to hear. Only the audio professional knows if the end result sounds good, and what it ©2017 TLS Corp. The Telos Alliance®. All Rights Reserved. C17/19054 takes to produce that. Advertorial Keeping Your Broadcast IP Network WHAT KIND OF QUESTIONS NEED TO BE ASKED WHEN USING IP AUDIO IN THE GROWING Safe in the Age of IoT INTERNET OF THINGS? By Greg Shay, CTO, the Telos Alliance Is the network secure? Controlling access to the network used for broadcast is the first, best defense. With a com- pletely open and uncontrolled network, it is difficult for the attached devices themselves to make the network behave the way it needs to.

Is the broadcast network openly interconnected with the general internet? This should give pause. Some of the power of IP connectivity is the convenience of access WHAT ROLE DO FIREWALLS, (for example the chief engineer, in the middle of the VIRTUAL PRIVATE NETWORKS, night from home), but access can be enabled through AND PASSWORD POLICIES secure methods, not open connections. AT THE NEW CUMULUS CHICAGO, WHICH CONSOLIDATES FOUR STATIONS INTO ONE STYLISH, PLAY? STATE-OF-THE-ART, ALL-IP FACILITY, NETWORK SECURITY IS A TOP PRIORITY. These are all accepted best practices for securely enabling connection and access to IP networks. Considering an Audio over HOW DO I KEEP MY BROADCAST The simple precaution of not leaving default pass- IP (AoIP) network for your words, for example, has long been best practice IP NETWORK SAFE? in the IT industry. And there are a range of other facility makes sense; it’s faster, techniques beyond these. We can expect smarter, cheaper, and better than previous For safe IP, media professionals should use best practices borrowed from the IT safer and more capable networks in the future. technologies. By converting to AoIP, industry, and make use of the knowledge, skills, and capabilities of IT professionals and expert contract engineers. In the same way broadcast has borrowed you not only tap into the power of To inherit these present and future network ad- technology from the IT industry, we should also borrow best practices for IT current technology, you allow your vantages, we must leverage IT equipment for security and reliability. facility to leverage the enormous uni- broadcast, so that broadcasters don’t themselves verse of “off the shelf” IT devices that have to invent and develop signal transportation are used worldwide, and not just in HOW DO FACILITIES AVOID TENSIONS OVER methods and equipment that essentially do these the broadcast industry. WHO CONTROLS THE STUDIO, THE ENGINEER same jobs. Just like those connected IT devices, OR THE IT PRO? Having a good IT professional, an even better di- IP-based broadcast gear can open vision of labor, and being vigilant will make your up your network to vulnerabilities, IP broadcast audio represents a different type of IP network traffic than many in broadcast network safe and secure. which is why it’s important to take the IT worlds of banking and web commerce transactions are used to. But the measures to secure it. Broadcast fundamentals of IP networking are the same. Most valuable is a good IT per- security has always been a priority. son who is open-minded and curious, who understands that broadcast media is Since the first broadcast cable, there simply a new and interesting capability that the same IT networks have always was a pair of wire cutters. The security had. This attitude is the doorway to productive and good practice, rather than methods are just different now. Here operational conflicts. The fact that one can do banking over the internet (the Interested in building an IP studio? are some of the most common ques- least secure of all networks), is an example of safe IP networking, and IT engi- Download the Telos Alliance’s new tions I get asked about network safety, neers are making that possible. AES67+AoIP ebook now. and our advice for keeping your net- A healthy division of labor is for IT to plan, implement, and maintain the reliable work impenetrable. network to make the connections. But the media professionals make the interesting shows, the high-quality programming, that the audience wants to hear. Only the audio professional knows if the end result sounds good, and what it ©2017 TLS Corp. The Telos Alliance®. All Rights Reserved. C17/19054 takes to produce that. It’s All About the Features and Value Q Josh Thurston reflects on what A considerations matter most

Josh Thurston is a security strategist in the office of greater for a piece of the CTO of Intel Security/McAfee. He also co-founded hardware instead of a merchant services company that developed a secure software, but technolo- mobile credit-card processing solution over digital gy improves so fast that I see that becoming a non-issue. wireless devices. I also take into consideration the outcomes and use cases a security team is looking for. For example, if Q: Is some hardware better than others (i.e. VPN routers)? Do you have a very static environment where things don’t you get what you pay for? change, hardware may be the way to go. On the other A: Hardware is getting to a point these days where it hand, if you are moving to a virtual shop, and you want is as close to a non-factor as it gets. What really comes features such as VMware Vmotion, then software may be into scope are the features, scalability and value. A lot better for you. In fact, there are a number of companies of hardware is also essentially going away because that build the same firewall in the physical and virtual companies are moving their infrastructure to the cloud. space. I have clients that have moved everything short of a physical router running out of their office into the cloud. The remaining hardware is purchased from manufacturers who offer the best value and the best If you have a very static environment quality. There are reasons why companies like Cisco, Intel, Juniper and others are all leaders in their own categories: where things don’t change, hardware They make great hardware. may be the way to go.

Q: Are hardware firewalls superior to software firewalls? A: Once again, it is all about the features and the value. There are instances where throughput or port density is Q: Sometimes reporters connect their codec or iPhone to a WiFi network, or management access scheduling software from a remote site. These types of actions leave the system “Get Ready for the World of the IoT” vulnerable to “Man in the Middle” attacks. What are some best practices that broadcasters can apply to protect For more from Intel Security themselves from such attacks? Group about the implications of the A: Two solutions come to mind. First, there are Internet of Things, see our inter- applications for smartphones and tablets for a VPN to view in the March 29 issue of Radio encrypt your tunnel. Second, you can use SaaS Proxy World with Gary Davis, chief con- from a number of vendors. At McAfee, we offer a hybrid sumer security evangelist for the solution for proxy and we can also add in Cloud Access company. “We’re basically bringing Security Broker (CASB) to monitor the visualization, online about a million devices per encryption and protection using Data Loss Prevention. hour right now,” he said, “and one of the challenges we’re This would be a great way to protect connections and seeing from a security perspective is that most of those content. The SaaS proxy-gateway option would be my devices are being brought online without any thought main preference, and the VPN tunnel would be the about security.” second option. n

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 12

Assume That Everyone Is a Criminal Q Randy Woods says radio engineers need A to learn to think like nefarious people

Randy Woods is technical director for the Central prietary data into Florida Educational Foundation. He recently shared our RDS system, IT secrets in an NAB seminar titled “Quality Engi- which was then neering on a Tight Budget.” picked up on specialty radio Q: With all the news about breaches, it must be tempting to receivers. In this type of situation, you have to assume just “disconnect everything.” How can professionals “do it the worst. You have to assume that the vendor, or bad smart,” and practice “safe IP”? employee, has a malicious intent, and once they have A: Yes, it’s tempting, but we would get so much less access to their device, that they might use that device to done. get to other devices on your network. The best option is From a security standpoint, we need to focus on to put their devices on an above mentioned DMZ, and segmentation and isolation. Depending on what to not allow them to connect to anything they do not the communications requirements are, this can be need to. In my case, they only needed to talk to the RDS accomplished at layer 2 with switches, and VLANs. encoder, so on their DMZ, I granted no outbound access. Another name for this is a de-militarized zone, or DMZ. This isolates traffic, but you still need something to Q: How do firewalls play into this? connect that segmented network to the networks A: At the internet connection point, firewalls are an abso- that it needs to communicate with, and isolate it from lute minimum requirement. Additional processes such the networks that it doesn’t. Using a router, or routing as intrusion detection and/or prevention should also be process, you can apply appropriate access control lists considered when you are protecting critical data such as (ACLs) to the router interfaces. personal information from your clients. If the necessary communication is limited to a known list of IP addresses or networks, this is an easy and Q: How about virtual private networks? acceptable solution. If the communication is from the A: VPNs come in two general forms: remote access, and internet in general, or the device needs to talk to the point-to-point. Remote access VPNs allow your staff to internet, then deeper packet inspection is preferable, securely access your private network. A big benefit to which require a firewall. If you are using some Cisco using this is that you don’t have to open holes in your routers and switches, they have a built-in firewall option firewall to allow remote administration. Too often a called context based access controls, or CBAC for short. broadcast engineer will open up a hole to do VNC or This is a cost-effective firewall, but it has limited band- remote desktop access. At that point, your network secu- width forwarding capability. Various other dedicated fire- rity is as strong as your password and/or your authentica- wall options are of course available. tion process. In my opinion, this practice should never be done. You are just asking to be breached. Q: What kind of questions should engineers and IT manag- Point-to-point VPNs are great for remote sites that you ers be asking about the “Internet of Broadcast Things”? can only get internet connectivity to. Again, they keep you A: The obvious challenge is to keep the bad guys out of from having to punch a hole in the firewall at either site. these devices. The less considered aspect is for devices This brings up another topic: Remote, shared sites. It is that you are granting third-party access to. not uncommon for a broadcaster to be leasing access in For example, we had an emergency alerting device a shared building. If a point-to-point VPN is used, gaining that we allowed the vendor to connect to, to inject pro- access to your studio facility is as easy as gaining access

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 14 to the remote site system, which in many cases is trivial. A: Just like it would be with a primary internet connec- Make sure you lock down your equipment at these sites. tion. First start with a managed firewall. If the ISP is only Strong passwords. Locked racks, and secured network to be used when the LAN connectivity is down, use ports. On most managed switches, there is a feature interior routing protocols to dynamically choose the net- called port security. This allows you to lock down the Eth- work’s default route. This done by prioritizing the default ernet ports to specific MAC addresses. If someone gains route coming from the backup ISP firewall lower than the access to your rack and tries to plug their laptop into your priority of the default route coming from the main ISP switch, they will not be allowed access. device. How to do that technically is outside the scope of this discussion, but is very easy to do in a managed net- Q: What is required to provide outside entities, such as alarm work using Cisco, or similar devices. companies and security services, access to a transmitter site network while maintaining security of the network? Q: What other questions should we in the industry be asking A: Limit their access to a single, static source address. If about this issue? they cannot provide that, then the answer is no. Then put A: Out engineering community need to learn how to their devices in a very restrictive DMZ. Only grant access think like nefarious people. I spoke with a naval com- mander in the cybersecurity division. Somewhere in that conversation, he said to me, “We love people like you. You build nice, neat, clean networks. Once we get in, we If a point-to-point VPN is used, gaining can get to anywhere we want.” That was a very offensive access to your studio facility is as easy statement, but unfortunately, very true. In my past career, as gaining access to the remote site I worked to build very robust, high-performing networks and systems. The game has very much changed. We now system, which in many cases is trivial. need to assume that everyone is a criminal, and protect our systems like our reputation depends upon it, because it does. to these devices over the absolutely necessary ports, and Q: Anything else we should know? never allow them outbound access that they don’t need. A: Many people assume they have some degree of ano- If their device needs access to the internet, that is not a nymity because there are so many devices on the Inter- problem. Just make sure you explicitly deny access to all net. They think someone with malicious intent would network address ranges inside your private network first. need to do a lot of detective work to find their site and Then allow them access to the internet. Tell them to use devices, but it’s really quite easy. Google’s DNS servers, 8.8.8.8, and an outside SMTP serv- The Shodan.io site is a search engine for the “Internet er if email is necessary. of Things.” By doing a Shodan search for your station’s call sign [and] Barix or Burk for example, you can see Q: What are the best secure methods for station personnel, pages of listings for broadcast devices that are visible on such as engineers, to access Ethernet-enabled or controlled the internet. Information such as IP address, site type, equipment at a transmitter site (e.g. secure port forwarding, stream mode, connection status and content type is VNC, etc.)? readily available. A: The best option is via a private connection such as You can save yourself a lot of pain by simply changing microwave, or maybe Metro Ethernet. If internet access the default password on these devices to something is the only transport, remote access VPN is the next best more robust. option. If that is not possible, consider something like If you’re not convinced that there is a crisis at hand, did TeamViewer. Make sure your password is solid, and that you know that there are now exploits for network print- you don’t let it get into the wrong hands. ers? Yes, printer can have agents installed on them to act as a Trojan horse, or to interrogate the print streams and Q: If a backup ISP service is employed at a site that is other- capture confidential information. I am now planning on wise LAN-connected to the studio, how is that securely inte- building a printer DMZ and isolating those seemingly grated into the network? benign devices as well. n

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 15 NAB Embarks on Cybersecurity Evangelism Q Kelly Williams talks about available resources A including the association’s education program

Kelly Williams is senior director, engineering and on the Department of technology policy in the Technology Department of the Homeland Security’s National Association of Broadcasters. He joined NAB website, although they in 1989 and has worked on technology innovation and tend to be more global has managed a portfolio of technical, regulatory and in scope. The top level legislative issues, most recently Next-Gen Television for the federal government is the National Institute of and cybersecurity policy as well as video accessibility, Standards and Technology (NIST). They are charged the Emergency Alert System and public alerting. He with creating the standards for cybersecurity that all served on the FCC’s CSRIC working group mentioned government agencies must adhere to, including the FCC. below. NIST has a number of reports and papers on its website under the Computer Security Resource Center. Q: What sorts of resources on cybersecurity are available The FCC responded to the NIST mandate by creating from organizations like the Department of Homeland CSRIC, the Communications Security Reliability and Security, NIST, FCC and NAB? Interoperability Council. Its mission is to provide A: There are a number of resources and documents Continued on page 18 ❱

This is one of several broadcast ecosystem architectures depicted in the report “Cybersecurity Risk Management And Best Practices” produced by a working group of the Communications Security Reliability and Interoperability Council.

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 16 Redeﬁning Radio for the last 25 years. With over 25 years of innovation, ENCO continues to push the boundaries of what’s possible in radio. From advances in remote production and control to virtualization to visual radio technology, ENCO continues to provide stations with the best solutions to reduce overhead, improve workﬂows and sound better. Contact us now to schedule a personalized demonstration for any of our solutions.

RADIO AUTOMATION • MUSIC SCHEDULING • TRAFFIC LOGGING • NEWSROOM • VISUAL RADIO • STREAMING IMAGING • VIRTUALIZATION • CLOUD • DISTRIBUTION

Visit us at NAB Booth N-2024

www.ENCO.com/NAB (800) ENCO-SYS cfb.com/ENCOsys d@ENCOsys ❱ Continued from page 16 recommendations to the FCC to ensure, among other Check Out These NAB Resources things, optimal security and reliability of communications systems, including telecommunications, media and public safety. Its most recent recommendations are on the FCC’s CSRIC IV website. It is important to remember that the federal government considers broadcasters to be part of the critical infrastructure, owing to their ability to keep the public informed in event of emergencies. For our part, the NAB has embarked on a cybersecurity evangelism and education program. There are two publications on our website, “The Essential Guide to Broadcasting Cybersecurity” and “35 Critical Cyber Security Activities All Broadcasters Should Know” [see sidebar]. The NAB has also created two webinars and The NIST publication “Framework for Improving two educational courses about cybersecurity. Looking Critical Infrastructure Cybersecurity” provided a ahead, we are considering creation of a cybersecurity broad approach to thinking about cybersecurity as certification program. well as practical guidance. In turn, the FCC’s Communications Security, Q: How have strategies to protect organizations from cyber Reliability and Interoperability Council took that attacks changed over the years? framework and offered communications providers, A: It used to be done largely with checklists. When you including broadcasters, recommendations based completed everything on the list, your system could on it. be considered secure. The problem with that was that Seeking to make that information more hackers could use the very same checklists to figure out digestible for stations, the National Association your soft spots. of Broadcasters then published “The Essential NIST has developed a strategy called the Framework, Guide to Broadcasting Cybersecurity,” picking where you determine your risk in five different out the most important broadcast-related categories. Your assessment of risk determines the path recommendations and making them more to security, resulting in a more targeted and unique accessible. And its authors DCT Associates approach. even boiled that down further to “35 Critical Cybersecurity Activities All Broadcasters Should Q: What kind of questions should engineers and IT Know.” You can download those two files here. managers be asking when using IP audio and other IP Why go to all this trouble? As the authors put accessible systems? it, “Among many broadcasters the chief desire is A: There are still a lot of systems out there that run on for a simple checklist to ensure that newsroom, Windows XP, which hasn’t had a security update in three transmission, remote units and video production years. Any system in use today needs virus protection, operations are sufficiently protected from scans and a software firewall. The best systems cyber intrusion and disruption. Because cyber incorporate Security by Design (SbD), meaning that the miscreants and threats are constantly evolving, system has been designed from the ground up to be static checklists no longer protect against such secure. Buyers should ask about the operating system things as mutating malware, ransomware, viruses of any equipment they are purchasing. Is it the latest or sophisticated attack campaigns. The NIST version? Is it updated regularly? Can it do virus scans, Framework and CSRIC recommendations represent and does it have a firewall? Has it been built using SbD a new way of thinking about cybersecurity, standards? n offering holistic approaches under which broadcasters can begin to behave differently to ensure continuous, reliable operations.” For more helpful resources, see the NAB’s Cybersecurity Resources page.

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 18 A Framework to Hang Your IoT on Q An NIST outline can help make sense of potential risks A for stations going down this road for the first time

Our description of the following document might put you to sleep. But adopting its advice could save you nightmares. In 2015, a working group of the Communications Security, Reliability and Interoperability Council produced a document called “Cybersecurity Risk Management and Best Practices.” Part of it was written by a Broadcast Industry Segment subgroup that developed recommendations to assist in reducing risk to broadcast critical on-air operations by applying a cybersecurity “framework” that had been spelled out by the National Institute for Standards and Technology. Members of this broadcast subgroup came from the National Association of Broadcasters, NPR, Nevada Association of Broadcasters, Monroe Electronics/Digital Alert Systems, CBS Television and the Public Broadcast Service. They encouraged broadcasters to use a “risk management matrix” provided in the document to help with their cybersecurity efforts. The CSRIC report is well worth reviewing, including the full broadcast section (pages 35–51; find it here). But below is a particularly relevant excerpt from the “Illustrative Use Cases” section of the report.

Cybersecurity involves all broadcast stations regardless 1) What are you trying to protect? of size. As a broadcaster you may think there is no real If you have a news organization there are many sys- potential risk to your business from cybersecurity attacks tems that are vulnerable for attack. These include but since your business simply puts news and entertainment are not limited to: news room computer system, playout over the airways. servers and automation, graphics machines, news report- But, consider how many stations have a web presence ers’ laptops, and cellular devices used to bring stories in and are now streaming the morning news and traffic from the field. A firewall is good but cannot protect from reports. And that many stations have sophisticated finan- bad practices such as not providing controls on network cial system so folks on the road can access everything access, unprotected laptops, and “thumb” drives intro- from the viewer database to sales tools. In engineering, duced to the network and employees visiting untrusted just about everything has an internet connection now web sites. (e.g., the EAS system is directly connected to FEMA and National Weather Service for Emergency Alerts). 2) Who is responsible/involved in the process? The NIST Framework can help make sense of potential Cybersecurity isn’t someone else’s job, it is everyone’s cybersecurity risks for stations going down this road for job. Support from all stakeholders is the key to success. the first time. The first step is to take a look at the new The support for cybersecurity needs must start at the cybersecurity framework and make it a part of your busi- leadership level and everyone from the General Manager, ness. There are many resources available and technical Programming, News Director, Sales Manager, HR, IT, and expertise can be either your internal IT department or an Engineering needs to understand and support these external cybersecurity specialist. efforts. As a local radio or television broadcaster you have a commitment to your community for which you are 3) How do you tackle the Framework? What do you do first? licensed. Making cybersecurity part of your business pro- Once the station leaders support the initiative, bring tects your revenue, your employees, your viewers, and together the stakeholders and provide the guidance and your community at large. The best way to get started is education regarding what is involved and what each indi- start small and identify what needs to be protected first. vidual’s roles and responsibilities are. You may find once Continued on page 20 ❱

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 19 ❱ Continued from page 19 Proper cybersecurity can work for all businesses and the people are educated there will be better understanding framework can provide the roadmap. of the process (such as taking systems down to install latest security patches). Cybersecurity can be made to fit A. Broadcast Radio/TV Station/Hub Assessment any culture. 1) Internet Access — In a fast-paced operation where both resources and time are scarce, there is a need to 4) How did you determine what categories and subcatego- ensure proper security protocols are communicated and ries are the most important? How did you implement the followed on a regular basis. In this case, employees are Framework guidance? aware of the company’s goals and strategy for security, Review the framework and focus on what is most employees are trained and operating procedures and important to protect your “critical” systems and work out protocols are established and communicated. Examples from there. Businesses can approach the framework in of this could include use of only “trusted” internet sites, a many ways. It doesn’t matter if the easy stuff goes first well-established email policy to ensure employees avoid or if the more critical does, but doing nothing is not an opening email from “unknown” sources, and discipline in option. using company and personal resources. This is defined in the analytical framework in several areas: 5) What are your plans for the future in regard to progressing • Risk Management Strategy in maturity? • Awareness and Training Once you get through all the initial items on the cyber- • Communication security framework you may find the more you move into to it, the easier it gets. You can then even start on some 2) File/Content Delivery — Broadcasting is moving towards of the items from the “big guys” to help your continuous a more IP-based infrastructure where videotape content improvement process. You may still get groans from the is being replaced with file based content. These files are reporters when you make sure their machine is scanned large in size and may require special high-speed net- before they can get on the network — but they at least works and high-throughput storage systems. Security now will know the importance of good cybersecurity. Continued on page 22 ❱

While local radio stations may not have enterprise-level networks as larger broadcasters do, there are many areas where the station network connectivity provides critical services to its audience and would necessitate cybersecurity measures. Like the image on page 16, this is one of several broadcast ecosystem architectures described in the CSRIC report.

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 20 Comrex To Display New Product, Opal, at NAB 2017

Have you ever really looked So what is it? forward to hearing an interview Opal is short for “Opus Portal” - it’s an IP on a radio program? audio gateway. Opal transmits audio using the Opus encoder. Once installed, Opal Maybe the interview was with a celebrity serves a web page to anyone who accesses you admire, or a pundit whose views it through a browser on a computer or interest you. Maybe it was with an athlete, Android device. Once the web page is or someone at the center of a recent loaded, the user can click a button and scandal. Regardless of who it was, when transmit audio from their computer or it came time for the interview, the guest phone with high fidelity and low delay. called in to the studio using a cellphone, and the audio was muddy and difficult Opal can support two discrete to hear. It was hard to understand what connections at once. Opal occupies 1/2U they were saying, and so the entire thing of rack space, and two can fit side-by- felt a little disappointing. side in a 19” rack shelf. Connections to Opal can only be made from browsers This is why we developed Opal. that support WebRTC (Chrome, Firefox and Opal at this time). Opal makes call-ins sound great. Perfect for coordinating call-ins with guests who have no technical expertise, Opal provides near-studio quality audio with consumer grade equipment. More importantly, connecting with Opal is just as easy as making a phone call - guests don’t need to fidget with settings or install apps to connect. All they need to do is click a link.

Ready to make your call-ins sound great? Visit us at NAB at Booth# C1633

Write to us at [email protected] or call 1-978-784-1776 / 1-800-247-1776 ❱ Continued from page 20 measures need to be in place without impeding the timely workflow process required to receive large content files. These files can be delivered through networks, hard drives or even USB type devices. Many of the files are in a proprietary format (e.g., Apple Pro Res, AVID DNX, etc.) and require special security measures. Network delivery systems such as Signiant and Aspera provide the user a path to implement a security layer. This is defined in the analytical framework in the following areas: • Protective Technology • Detection Process • Continuous Monitoring • Mitigation

3) News and Production — News and production have unique challenges in security. Many of the policies described in “Internet Access” would be included, but there may be many instances where going outside “trusted” sources may be required to obtain “news- worthy” information. Also, microwave technology for backhaul of “live” shots is quickly being replaced with new technology such as “bonded LTE” to provide “live” or file-based content for The report discussed in the article includes a “matrix” based on news, sports or other programming. Another the NIST framework as it applies to segments of the broadcast unique challenge is much of the personnel industry including small radio stations, local broadcast stations, are often not full-time employees, but contract station hub operations and broadcast networks. This is just a workers, per diem production staff and “stringers” (such sample. as photographers and camera operators). Providing the proper training and discipline may be difficult and require careful vetting and clear and easy to understand monitoring through configuration management data- expectations and procedures. This is defined in the ana- bases (CMDB) and other controls. It is recommended that lytical framework in several areas: broadcast organizations address this by making security • Risk Management Strategy an integral part of the requirements for purchasing new • Awareness and Training equipment and services. This is defined in the analytical • Communication framework in the following areas: • Information Protection Processes and Procedures • Asset Management • Risk Management 4) Partners — Without the cooperation of key business • Continuous Monitoring partners’ security measures may be difficult to administer • Detection Processes even within the most disciplined organizations. Broad- cast organizations rely on network providers, satellite Regarding hubbed operations, the obvious security providers, equipment providers and service providers to and redundancy issues regarding protection of the feed ensure all security measures are in place. Unfortunately from the hub require that two diverse routes should be much of the legacy broadcast equipment still in use does employed with firewalls and VPN protection. All other not support security patching, auto updating or system data circuits, computers, digital streaming feeds, feeds

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 22 of any type should be protected as they would be in any cast demilitarized zone (DMZ) separates the broadcast other modern broadcast facility (see stations above). Local Area Network (LAN) from the administration LAN, The best way to accomplish is to work closely with your and provides the necessary protection. As a group, you vendor and security experts. It may be better if they are should review the categories within the NIST Framework, not the same company so there are proper checks and and based upon your initial risk assessment focus on balances. what has the greatest urgency to implement within your Also ensure everyone involved understands their roles broadcast network. Then devise a plan for a review and and responsibilities. Make sure incidents and changes recommendation on the following categories: (1) identify, are properly logged and documented. There should (2) detect, (3) protect, (4) respond, and (5) recover. always be a back out plan for major changes that have an adverse effect. Many systems should have a test lab Once you complete your analysis the next step is to try new software and hardware before it is deployed, implementation. This is not as easy as one would imagine but this may not be possible in a large scale network that since many of the systems involved may never have had cannot be replicated. Put together a response plan and a firewall or constraints (such as virus protection, etc.), so track recovery time for continuous improvement. the approach is to proceed cautiously and carefully: While a hubbed infrastructure provides efficiencies in a multi-station operation it is important to recognize that 1. Access Control — New Firewalls may need to be there is an increased risk which may impact the ability to installed without restrictions so a full audit and analysis provide essential and important services to listeners and could be completed before making changes. viewers in multiple markets. 2. D ata Security — A strict change management process should be instituted so any new Firewall rules could be B. Broadcast Networks — Broadcast Firewall quickly backed out if needed. As a Network Broadcaster Engineering Manager you 3. Information Protection & Process Improvement — A com- have an obligation to the stations that depend on your munication plan should be devised to ensure all stake- distribution of content, including content for public inter- holders were informed of the risks. est and emergency information. There are many legacy 4. Anomalies & Events — The network should be contin- broadcast systems that are not protected from cyberse- uously monitored to detect potential cybersecurity curity attacks, monitored for threats nor properly con- events. trolled. Many IT groups have the necessary talent within their security staff to help identify the risks and create a As you can see it is not only important to place cyber- plan to help mitigate them. It is important to gain sup- security controls within the network, but to collaborate port from your leadership including Technology Officer, within groups go ensure success. It is also recommended Administrative, Programming and Finance before you to have regular meetings with your new “cybersecurity review and then use the NIST Cybersecurity Framework committee” and meet regularly to discuss the latest to protect core network and critical infrastructure used in threats, changes to our security protocols, and next Broadcast Operations. The areas that should be focused step for implementing the framework. Each quarter you on are access points to our critical production, ingest should review the NIST Framework against your business and broadcast systems. This involves possibly installing and look for new ways to improve our systems and pro- inbound/outbound firewall at all campuses. This broad- cesses. n

ADVERTISING SALES REPRESENTATIVES US REGIONAL & CANADA: John Casey Email: [email protected] ADMINISTRATION & PRODUCTION [email protected] Website: www.radioworld.com PUBLISHER John Casey T: 212-378-0400, ext. 512 | F: 330-247-1288

Telephone: (703) 852-4600 EDITORIAL DIRECTOR Paul J. McLane US REGIONAL: Michele Inderrieden Business Fax: (703) 852-4582 PRODUCTION MANAGERS Karen Lee & Lisa McIntosh [email protected] ADVERTISING COORDINATOR Caroline Freeland T: 212-378-0400, ext. 523 | F: 866-572-6156 EDITORIAL STAFF EDITOR IN CHIEF, U.S. Paul J. McLane Radio World Founded by Stevan B. Dana EUROPE, MIDDLE EAST & AFRICA: Raffaella Calabrese EBOOK CONTRIBUTER Tom Vernon [email protected] GEAR & TECHNOLOGY EDITOR Brett Moss Copyright 2017 by NewBay Media, LLC. T: +39-320-891-1938 | F: +39-02-700-436-999

INTERNATIONAL EDITOR IN CHIEF Marguerite Clark All rights reserved. LATIN AMERICA: Susana Saibene TECHNICAL EDITOR, RWEE W.C. “Cris” Alexander Printed in the USA [email protected] TECHNICAL ADVISOR Tom McGinley Globe graphic © iStockphoto.com / Edward Grajeda T: +34-607-31-40-71 CONTRIBUTING EDITOR Emily Reigart

THE INTERNET OF BROADCAST THINGS Radio World | March 2017 23